Blackbaud Security Incident – what to consider

Blackbaud has informed its clients of a security incident.

Protecture’s initial thoughts are:

  1. Blackbaud has taken the security incident seriously, and has taken significant measures in response.
  2. They have some assurance from the hacker that the stolen data has been deleted.
  3. They say they have no evidence that the data went beyond the cybercriminal, that it was or will be misused, or that it will be disseminated or otherwise made available publicly.
  4. They also have no evidence that it hasn’t been misused…
  5. They are using a company to monitor the dark web as an extra precautionary measure.
  6. Financial data was not subject to the incident.

The questions to consider now:

  1. The key question, both for whether to report to the ICO and for whether to inform the individuals affected, is the actual or potential harm to people.
  2. In this case, where a major supplier has a breach, reporting to the ICO almost becomes less significant, as they will be aware of the breach by Blackbaud, and aware that all its clients will have been affected in some way.
  3. The important thing to consider is the potential harm to people given the nature and scope of the personal data, the context (who you are as an organisation) and purposes for which you used the CRM.
    1. Can you establish what data would, therefore, have been on the backup subject to the incident…and does this contain anything sensitive?
    2. Protecture clients could consider using our Breach Log, which has an Assessment tool where you can ask yourself questions about the breach and “score” the impact.
    3. In Covid-19 times, where online scams are more likely, and cybercriminals will use any data to improve (personalise) their phishing emails, it might mean there is an increased need and expectation to inform people.
    4. This is what happened with easyJet – see our article here:

We would also advise that you:

  1. Review your contract with Blackbaud to understand the position on liability. Then consider whether or not this is reportable to your insurers or any of your regulators.
  2. Check your internal governance procedures to understand if this matter needs to be reported to senior management.

For more help and guidance contact us here…